COVID-19: Practical steps against fraud for the credit union sector

Since the beginning of this pandemic, we have witnessed a significant change in consumer spending patterns and how payments are made. There is now significant data that points to an explosion in the use of contactless, digital and non-cash payments.

The credit union sector in Ireland is well-versed in transacting using digital means. Most credit unions offer an online transaction service through a hosted platform which is managed and controlled by a specialist service provider. CUSOP is an independent company operated by The Irish League of Credit Unions and individual credit unions that provides participating credit unions with an electronic payments service. Since its establishment in 2013, CUSOP has been adopted by over half of the credit unions in the Republic.

The European Commission has also established common rules for electronic and non-cash payments. Their payment services directives (PSD 1 & PSD 2) include provisions to ensure increased security and standards for payments throughout the European Union. 

Since March 2020, the increased volume of faceless transactions has resulted in heightened challenges for traditional regulated business such as credit unions. Fraudsters are becoming more sophisticated in their approach and can exploit the fact that not all regulated businesses will have the scale and resources to adapt at the same pace. As the fraudster innovates and devises new methods of obtaining personal data, the risk to transactional fraud increases for each credit union.

A recent example of new frauds arising from the pandemic is a text message from a number purporting to be the HSE, asking consumers for details in relation to their vaccination appointment. The message itself is looking to obtain a person’s PPS number, date of birth and home address. Each piece of personal data lost to a fraudster increases their ability to commit fraud and heightens the risk for individual credit unions.

Structurally, a credit union is a financial co-operative based on a common bond, governed by its members who elect a volunteer board. As a result, they can often be less adaptive and may not have the resources available to protect against fraud compared to, for example, a pillar bank who can dedicate significant financial and human capital to risk management processes that address fraud detection and prevention. 

With the heightened risk of fraud, it’s worth reminding each credit union board of their responsibility to protect member funds through revisiting the risk management cycles, namely:

• Developing a response to new or emerging fraud risks
• Implementing this strategy and assigning responsibilities to credit union officers 
• Reviewing and refining the existing risk plan
• Making decisions and taking actions that address new fraud risks

A credit union board and management should consider the adequacy of fraud detection and prevention:

• What fraud detection procedures exist?
• What are the warning signs or indicators in place to highlight fraud?
• Are the detection procedures timely?
• Does management have a process and/or controls to follow once they identify fraud?
• Are they well-versed in fraud investigations?
• What’s the follow-up action plan post-fraud?
• Will existing controls prevent new fraud methods?

Here are some practical actions boards can take: 

1. Revisit polices and consider whether areas such as data protection, fraud, counterterrorism and anti-money laundering adequately address new or emerging trends in fraud. 
2. Assess adequacy of operating procedures and challenge management on whether there is a need to updated procedures around training, user access and transaction verification.
3. Take practical steps to engage with your insurer and assess levels of cover relative to member funds held; understand what cover exist in relation to frauds. 
4. Evaluate the internal audit plan and consider whether new operational procedures arising from remote working are being addressed. 
5. Assess trends or patterns in daily transactions for unusual transactions, and consider existing limits over the two-step verification of transactions and whether they should be changed.

Crowe has over 20 years’ experience working with credit unions. We understand the sector and the increasing challenges credit union board members face with regulatory and reporting requirements. If you require any assistance, contact a member of our dedicated credit union team.